#61
> Thanks for your post - I very nearly posted a similar article about the
> Sinowal virus this morning!

Despite what you may find experts saying, this is not a virus. A virus is a very specific type of malware - this does not qualify.

> My understanding is that this virus can, and indeed does, install itself
> silently - without the knowledge of the user of the computer.

It is a trojan horse program - to begin with.

...then, once installed, it is many other things.

> If the machine continues to all intents and purposes to 'work' the malware
> is unlikely to be discovered. However, let's suppose that I mention this
> 'nastie' to a friend and he says "How can I check to see if I have been
> infected?".
>
> What answer should I give him?

The most important aspect of the program (once installed) is its ability to hide - it uses the MBR to implement a 'rootkit' - you need to detect this rootkit.

David Lipman recommends GMER often enough for me to think that it is a good rootkit detector. I suspect he would know better than most posters here.

- just a hunch ;-)
#62
> I had hoped that you might have said something along these lines:-
>
> "If you suspect that you have a system that is infected with this rootkit,
> to prevent it from loading, all that is required is to write a known-good
> copy of a master boot record back to the disk to prevent the rootkit
> driver from being loaded on the next reboot! Fortunately, we have made
> that a fairly painless process with the Windows Recovery Console and the
> 'fixmbr' command!

That may work well for this malware, but care should be taken when attempting to remove small fragments of malware while other larger fragments can still execute. Retaliatory payloads could easily be added to its current functionality.

If it was able to modify the MBR in the first place, what's to stop it from modifying it again after you have fixmbr'ed and rebooted? The fragment in the MBR is usually just there to help it hide, so you have not de-fanged it by fixmbring - you have only uncloaked it.
#63
From: "FromTheRafters" <erratic>

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!
|
| Despite what you may find experts saying, this is not a virus. A virus is
| a very specific type of malware - this does not qualify.
|
>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.
|
| It is a trojan horse program - to begin with.
|
| ...then, once installed, it is many other things.
|
>> If the machine continues to all intents and purposes to 'work' the malware
>> is unlikely to be discovered. However, let's suppose that I mention this
>> 'nastie' to a friend and he says "How can I check to see if I have been
>> infected?".
>> What answer should I give him?
|
| The most important aspect of the program (once installed) is its ability
| to hide - it uses the MBR to implement a 'rootkit' - you need to detect
| this rootkit.
|
| David Lipman recommends GMER often enough for me to think that
| it is a good rootkit detector. I suspect he would know better than most
| posters here.
|
| - just a hunch ;-)

http://www2.gmer.net/mbr/
#64
On 11/03/2008 04:29 PM, ~BD~ sent:

Snip, snip...

Hello Dave:

Please permit me a few passing observations:

> Thank you for your reply, Mr Lipman.
>
> You have once again carefully avoided telling me and other readers anything
> at all about you and/or your technical expertise/qualifications.

David, and others in similar newsgroups, have proven their worth by the consistent and accurate solutions they have provided us. Their reputations *are* their qualifications.

> I'd given an example only - not a solution to a specific scenario. So, I'll
> ask again ................
>
> If a computer shows NO sign of infection but a user wishes to check that
> there is, indeed, no malware present WHAT action should the PC user take?

Perhaps this can only be answered by two schools of thought. The purist might advise "level and rebuild" but a more practical approach is to employ the best user practices and a good collection of anti-malware tools because a /negative/ is so difficult to prove.

If I were still in the business, and a user wanted my written certification of due diligence, and that their system was to be guaranteed malware free, the user would need to agree to have their storage media erased, reformatted, and the software re-installed from known good sources.

If I were a high level government/military representative or an employee of a very sensitive high-tech industry with a great fear of key loggers or other malware, I would backup my data and purify to the best of my ability while the system undergoes a bare metal restoration.

Please forgive me if I have stolen this thread. I mean no harm or insult to anyone.

> Dave

My warmest regards to all.

Pete
#65
On Mon, 3 Nov 2008 22:19:57 -0500, FromTheRafters wrote:

> Despite what you may find experts saying, this is not a virus. A virus is
> a very specific type of malware - this does not qualify.
>
> It is a trojan horse program - to begin with.
>
> ...then, once installed, it is many other things.
>
> The most important aspect of the program (once installed) is its ability
> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> this rootkit.
>
> David Lipman recommends GMER often enough for me to think that
> it is a good rootkit detector. I suspect he would know better than most
> posters here.
>
> - just a hunch ;-)

Educational viewing!

Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotli...px?videoid=359

(Rootkit issues are discussed towards the end of the presentation).
#66
"~BD~" <~BD~> wrote in message news:4372

> Thank you for your reply, Mr Lipman.
>
> You have once again carefully avoided telling me and other readers
> anything at all about you and/or your technical expertise/qualifications.

Just as you did in an earlier post
#67
It really is quite tiresome how you keep goading, (or 'trolling' if you prefer), David H. Lipman, though it is quite amusing - in that you seem to completely lack the very small quantity of brain power required, to deduce that he is light years ahead of yourself, ...in every regard :-)

regards, Richard

"~BD~" <~BD~> wrote in message news:4372
[..]
#68
"RJK" <notatospam> wrote in message news:a576

> It really is quite tiresome how you keep goading, (or 'trolling' if you
> prefer), David H. Lipman, though it is quite amusing - in that you seem to
> completely lack the very small quantity of brain power required, to deduce
> that he is light years ahead of yourself, ...in every regard :-)
>
> regards, Richard
>

Hello Richard :)

Sorry - don't mean to be tiresome - just trying to get Mr Lipman to give me a straight answer to my question(s)!

BTW - I think you exaggerate a little!

Dave

PS Remind me of your experience at Aumha - did you get straight answers there?
#69
On Tue, 4 Nov 2008 23:20:09 -0000, ~BD~ wrote:

> Sorry - don't mean to be tiresome

Of course you did, you're a troll, that's what trolls do.

> - just trying to get Mr Lipman to give me
> a straight answer to my question(s)!

You of all posters here, have no right to demand anything of anyone.
#70
"FromTheRafters" <erratic> wrote in message news:4304

> That may work well for this malware, but care should be taken when
> attempting to remove small fragments of malware while other larger
> fragments can still execute. Retaliatory payloads could easily be added
> to its current functionality.
>
> If it was able to modify the MBR in the first place, what's to stop it
> from modifying it again after you have fixmbr'ed and rebooted? The
> fragment in the MBR is usually just there to help it hide, so you have
> not de-fanged it by fixmbring - you have only uncloaked it.
>

Of whom are you asking this question FTR? (or perhaps it was rhetorical)

You will appreciate that I simply quoted from the source - Microsoft TechNet
http://blogs.technet.com/antimalware...-a-report.aspx

Thank you for your comments though!

Dave
#71
.....oooh, had just finished a major fight with a PC (I won !) ,...didn't mean to be so horrid :-)

regards, Richard

"~BD~" <~BD~> wrote in message news:4848
[..]
#72
Many thanks for your reply FTR. My responses are in-line.

"FromTheRafters" <erratic> wrote in message news:4504
> "~BD~" <~BD~> wrote in message
> news:4372
>> Not to me.

Thanks - but I didn't want you to feel that I'm not taking note of your posts!

>> If so ......... I do so unreservedly! Lack of retention? A result of
>> advancing years, I fear!
>
> *That* I can understand. :o)

Do YOU have grandchildren too?

>> As it seems that you agree that, even if a new hard drive be installed, a
>> computer may remain infected ...
>
> I am not personally aware of any case where the modified code (external
> to the harddrive) can serve any useful purpose once 'disconnected' from
> the rest of the code on the affected harddrive. It is however theoretically
> possible.

A certain Mr Bill Castner at Aumha became extremely agitated when I suggested to someone who had experienced the dreaded BSOD that it may have been caused by a 'duff' (or 'infected'?) Memory stick. I was surprised by his attitude. I'd personally experienced such a phenomenon and had eventually determined the cause simply by trial and error.

> In case you didn't follow the link I posted previously on this subject, here
> it is again:
>
> [..]

I *had* followed the link you had posted before FTR - and had saved the PDF document for later study. Thanks, though, for the 'reminder'! It was a busy 'family' time last week and I hadn't got round to reviewing same. Even now I've only had time for a cursory look, but it seems very interesting. I really appreciate your help with this. Thank you.

> The code that runs before the code on the harddrive runs, can be used
> by malware to 'get in front of' other code during the OS loading process.
> That is - it pays to be first - but only a fragment of the malware 'program'
> is able to fit in there. Once the harddrive is *clean* you may still have the
> malware fragment 'doing something' - but it may be severely limited now
> that the rest of the malicious program's code is missing.

No doubt it can take its time ........ and grow slowly!

> So, even replacing an affected harddrive with one shiny new from the
> box does not completely *clean* a computer. It doesn't *necessarily*
> follow that the remaining code can rejuvenate the malware responsible
> for the initial infestation either though.

No, true ........ but it *might* !!!!

>> - please offer your thoughts as to where you believe malicious code may
>> hide, ready to infect the hard drive again whenever it so chooses. Thanks
>
> Code doesn't have to infect, infest, or respawn to be considered 'malicious'.
> Let's just assume the computer won't boot properly now, or your graphics
> card won't get the resolution it used to. The malware relocated some of the
> card's code so that *it* could have this 'front row seat' for nefarious
> purposes.

Maybe that explains why the picture on my CRT monitor became somewhat blurred from time to time during my experimentation! Vee..ery interesting!

> Now that the rest of the code has been removed from the harddrive by
> format, fdisk /mbr, or replacement of the harddrive you lose whatever
> functionality it had.

That's understandable. The harddrive might well pick up new, unwanted, code during further travels around the Internet though - and mate with any left lurking within a machine. That's my supposition anyway! ;)

>> So ..... where *can* we discuss your stories, FTR? Another
>> newsgroup/forum? Email?
>
> That's just it - we can't - because *I* can't - under penalty of imprisonment
> or worse. I take my promises seriously, and so does my government. :o)

I know not to which Government you refer. For my part I am bound by the British Official Secrets Act. You may find the somewhat OT information here of some interest:-

http://www.espionageinfo.com/Ul-Vo/U...-Security.html

Cheers

Dave
--
#73
"Paul Adare" <pkadare> wrote in message news:9dlg

> On Tue, 4 Nov 2008 23:20:09 -0000, ~BD~ wrote:
>> - just trying to get Mr Lipman to give me
>> a straight answer to my question(s)!
>
> You of all posters here, have no right to demand anything of anyone.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> [..]

I have *every* right to ask questions, Mr Paul Adare. Indeed, I feel it my duty to do so.

I have made no *demands* of anyone.

Are you feeling guilty?

D.
--
#74
"~BD~" <~BD~> wrote in message news:1164

> "FromTheRafters" <erratic> wrote in message
> news:4304
>> Of whom are you asking this question FTR? (or perhaps it was rhetorical)

It was rhetorical, I attempted to point out that such an approach could be dangerous. If someone attempted to use this method against the wrong malware (or perhaps a wrong variant of *this* malware), bad things could happen.

This one uses the MBR both as a way to add stealth and as a way to start the program. It is not necessary that the autostart method for the bulk of a malware's payload be in the MBR. Replacing the MBR will inhibit the program from starting. But *if* the rootkit used the MBR only for the stealth function and some other method was used for the persistence, simple replacement of the MBR could prove a disaster if retaliatory payloads are used.
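A defender-side check that follows from posts #62 and #74: before (or instead of) rewriting the MBR, compare the one you have against a known-good copy, and treat the 446-byte bootstrap region, which is what an MBR bootkit overwrites, separately from the partition table, which can change for legitimate reasons. This is an added example, not code from the thread or from GMER; the two 512-byte images are constructed inline, and the "known-good" boot bytes are an assumption, not a reference image for any real system.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": entries,
            "signature_ok": mbr[510:512] == SIGNATURE}


def check_mbr(current: bytes, known_good: bytes) -> list:
    """Return findings; an empty list means the image matches the baseline."""
    cur, good = parse_mbr(current), parse_mbr(known_good)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    # The boot code region is what a bootkit overwrites, so it is compared by hash.
    if hashlib.sha256(cur["boot_code"]).digest() != hashlib.sha256(good["boot_code"]).digest():
        findings.append("bootstrap code differs from known-good baseline")
    # Partition table changes can be legitimate (repartitioning), so report them separately.
    if cur["partitions"] != good["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def _sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample image: one bootable NTFS-type entry, three empty entries."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600) + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


KNOWN_GOOD = _sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed baseline (assumed good)
TAMPERED = _sample_mbr(b"\x90\x90\xeb\xfe")                  # constructed: boot code altered

if __name__ == "__main__":
    print(check_mbr(KNOWN_GOOD, KNOWN_GOOD))  # []
    print(check_mbr(TAMPERED, KNOWN_GOOD))    # ['bootstrap code differs from known-good baseline']
```

Reading a live MBR means opening the raw disk device with administrator rights (for example `\\.\PhysicalDrive0` on Windows) and taking its first 512 bytes; the baseline copy is only worth anything if it was captured while the system was known to be clean.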
#75
My replies in-line!

"FromTheRafters" <erratic> wrote in message news:4576

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!
>
> Despite what you may find experts saying, this is not a virus. A virus is
> a very specific type of malware - this does not qualify.

My bad. Sorry!

>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.
>
> It is a trojan horse program - to begin with.
>
> ...then, once installed, it is many other things.

My bad x2. Sorry!

> The most important aspect of the program (once installed) is its ability
> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> this rootkit.
>
> David Lipman recommends GMER often enough for me to think that
> it is a good rootkit detector. I suspect he would know better than most
> posters here.
>
> - just a hunch ;-)
>

So ......... now what many will think a stupid question.

How can one be certain that GMER is simply a great tool to detect rootkits? (and doesn't damage a machine!)

I caught this item 'in passing' as it were:-

**************************************************
Sanctuary (thank you Paul Vixie and ISC) welcomes gmer.net. I also thank Matt Jonkman for his excellent assistance, and Register.com for being on the phone all day with us. gmer, this one is for you brother.

GMER Application: download
Catchme: download

gmer has asked that this page remain, so to visit the site, click here.

-Paul Laudanski, 12:55PM EST Sunday, 21Jan2007

If there are problems with the site, please contact me.
**************************************************

So then a trip here: http://www.linkedin.com/pub/1/49a/17b to discover lots about Paul Laudanski.

Seems pretty conclusive to me!

Dave

PS How nice it would be if similar info was available about Mr Lipman!